Considering aggregate portfolio risk is critical for insurance companies—which means it’s important to differentiate between concentration risk and aggregation risk.
Concentration risk is taken on if many entities in your portfolio all share a common dependency, like a third-party vendor. If this third party experiences a cybersecurity vulnerability or incident, it could affect a number of your insureds in a negative way. Aggregation risk, on the other hand, is defined as the financial, resource-based, or reputational impact when a concentration risk leads to an accumulation of losses within your portfolio.
Let’s break that down even further. By not considering aggregation risk in your book of business, you take on the following risk impacts:
- Financial impact: Arguably, this is the most important potential effect, as you may have to pay out claims due to your aggregate risk. And coverable events aren’t just expensive due to the direct costs of a claim (including first- or third-party expenses and damages) but also because of the resources you’ll use in responding to that claim.
- Resource-based impact: If a concentration risk in your organization is large, there’s a good chance other insurers are seeing it as well. The problem is, if a large event takes place, a number of insurance companies could all be reaching out to the same third party—for example, a forensic firm—to help them with all the claims coming in. This could create a systemic issue in the insurance environment.
- Reputational impact: If you handle a claim situation poorly, your brokers and insureds will remember—which will impact your reputation as an insurance company. Similarly, if you experience a significant number of losses due to aggregate portfolio risk, your reputation will also be impacted. Keep in mind that this impact can reach across your insurance companies to other lines of insurance as well.
To understand portfolio aggregate risk, be sure to take the following things into account.
1. Determine which of your service providers have the concentrations of risk you should focus on.
Just because a service provider has high concentration risk with your portfolio doesn’t necessarily mean it’s going to result in a bad situation; that depends on the quality of the service provider. For example, let’s say half of your insureds are dependent on a large, widely known web service provider and the other half are dependent on a smaller, lesser-known web service provider. Using Security Ratings, you could find that the large web services company has a score of 600, while the smaller web service provider has a score of 300. If this is the case, the smaller web service provider is going to give you more concern, as the lower rating may be linked to certain cyber vulnerabilities which could result in future issues for your portfolio. This knowledge can also help you focus your efforts in researching the differences between both service providers in more detail. So even though the larger web services company may be contributing to a concentration risk in your portfolio, it might be better for you to concentrate your efforts on the smaller of the two.
2. Take your portfolio characteristics into account.
As an insurer, you’ll need to aggregate your actual limit exposures. For example, if you’ve written insurance contracts saying you’re willing to take on a certain dollar amount of risk—it’s important to keep in mind what the relative coverages are as well as the dollar limits associated with those coverages. Consider also adding some element of “silent” cyber exposures to this accounting.
3. Consider the scenarios that could trigger losses.
You should be prepared for a number of scenarios—from a data breach event, to ransomware, to a business continuity issue, to a service provider outage—that could impact to your insureds and result in losses to your portfolio. These scenarios can hit various coverages within the insurance policy, so the more you understand about the scenario, the better chance you have at accurately modeling the impact.
Discover Your Aggregate Portfolio Risk
Running your portfolio through BitSight Discover provides you with concentration risk levels so you can instantly see how many insureds are relying on the same critical IT service providers. This makes it far easier to then determine the criticality of those third parties as it relates to your book of business, leaving you more time to concentrate your efforts on delivering on your underwriting and enterprise risk management strategies.